Due to the increasing number of recommendations for people to use Virtual Private Networks (VPNs) to protect their privacy, more application developers are creating VPN applications and publishing them on the Apple App Store and Google Play Store. In this 'gold rush', applications are being developed quickly and, in turn, not being developed with security in mind. This paper investigated a selection of VPN applications available on the Apple App Store (for iOS devices) and tested the applications for security and privacy issues. This includes testing for any traffic being transmitted over plain HTTP, DNS leakage and transmission of personally identifiable information (such as phone number, International Mobile Equipment Identity (IMEI), email address, MAC address) and evaluating the security of the tunneling protocol used by the VPN. The testing methodology involved installing VPN applications on a test device, simulating network traffic for a pre-defined period of time and capturing the traffic. This allows for all traffic to be analysed to check for anything being sent without encryption. Other issues that often cause de-anonymization with VPN applications such as DNS leakage were also considered. The research found several common security issues with VPN applications tested, with a large majority of applications still using HTTP and not HTTPS for transmitting certain data. A large majority of the VPN applications failed to route additional user data (such as DNS queries) through the VPN tunnel. Furthermore, just fifteen of the tested applications were found to have correctly implemented the best-recommended tunneling protocol for user security. Outside of the regular testing criteria, other security anomalies were observed with specific applications, which included outdated servers with known vulnerabilities, applications giving themselves the ability to perform HTTPS interception and questionable privacy policies. From the documented vulnerabilities, this research proposes a set of recommendations for developers to consider when developing VPN applications.
[1]
Paul E. Hoffman,et al.
Internet Key Exchange Protocol Version 2 (IKEv2)
,
2010,
RFC.
[2]
Alok Pandey,et al.
A history of data breaches
,
2018,
XRDS.
[3]
Hsinchun Chen,et al.
Dark Web
,
2012,
Integrated Series in Information Systems.
[4]
Tuomas Aura,et al.
Client-Side Vulnerabilities in Commercial VPNs
,
2019,
NordSec.
[5]
Hamed Haddadi,et al.
A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients
,
2015,
Proc. Priv. Enhancing Technol..
[6]
Narseo Vallina-Rodriguez,et al.
An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps
,
2016,
Internet Measurement Conference.
[7]
Glen Zorn,et al.
Securing L2TP using IPsec
,
2001,
RFC.
[8]
Angela Orebaugh,et al.
Guide to IPsec VPNs
,
2005
.
[9]
Jayanth Rajakumar.
OVERVIEW OF TLS CERTIFICATE REVOCATION MECHANISMS
,
2019
.
[10]
Junhong Li.
Design of authentication protocols preventing replay attacks
,
2009,
2009 International Conference on Future BioMedical Information Engineering (FBIE).
[11]
T. Ridley-Siegert.
Data privacy: What the consumer really thinks
,
2015
.
[12]
Zhao Shun Wang,et al.
Security Analysis of MD5 Algorithm in Password Storage
,
2013
.
[13]
D. McLuskie,et al.
X.509 Certificate Error Testing
,
2018,
ARES.